name: Sync Snyk Monitoring
on:
  workflow_dispatch:
  push:
    branches: [master]
    paths:
      - '.github/workflows/sync_snyk-monitor.yml'
      - '**/.snyk'
      - '**/package.json'
      - 'yarn.lock'

# This workflow synchronizes the packages in this repo along with policies in
# each .snyk file with the remote state in our snyk org. It allows us to define
# ignore policies in the .snyk files and then have them show up in the snyk web
# UI, and also automatically adds any new packages that are created.

permissions:
  contents: read

jobs:
  sync:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Monitor and Synchronize Snyk Policies
        uses: snyk/actions/node@1d672a455ab3339ef0a0021e1ec809165ee12fad # master
        with:
          command: monitor
          args: >
            --yarn-workspaces
            --org=backstage-dgh
            --strict-out-of-sync=false
            --remote-repo-url=https://github.com/backstage/backstage
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          NODE_OPTIONS: --max-old-space-size=7168

      # Above we run the `monitor` command, this runs the `test` command which is
      # the one that generates the SARIF report that we can upload to GitHub.
      - name: Create Snyk report
        uses: snyk/actions/node@1d672a455ab3339ef0a0021e1ec809165ee12fad # master
        continue-on-error: true # To make sure that SARIF upload gets called
        with:
          args: >
            --yarn-workspaces
            --org=backstage-dgh
            --strict-out-of-sync=false
            --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          NODE_OPTIONS: --max-old-space-size=7168
      - name: Upload Snyk report
        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
        with:
          sarif_file: snyk.sarif
